Discussion: Re: Réf. : RE: Running PostGre on DVD


Re: Réf. : RE: Running PostGre on DVD

From
"Magnus Hagander"
Date:
> > > Ah, now we are making progress. If there was a way to
> give up file
> > > access permissions so you could no longer write files to,
> say, the
> > > Windows System directory, this would go a long way to solving the
> > > issue. Currently, if the Postmaster runs as admin, anyone with
> > > access to the database could use COPY to read and write
> any file the
> > > backend can access.
> >
> > Getting rid of the admin and powerusers group should do
> that, I think.
>
> Look at pgwin32_is_admin(), it just checks if the user is
> member of one of those two groups. I think we have your
> solution right here...

Oh, I know - I wrote it :-)

You still lose in the nested group scenario.

And while a privilege like backup/restore can be used to overwrite any
file on the system, you must be able to execute arbitrary API calls to
do that. Whereas with admin/powerusers you can just use COPY or
whatever.

Bottom line is that pgwin32_is_admin() is far from perfect, it just
catches the most common scenarios.

//Magnus


Re: Réf. : RE: Running PostGre on DVD

From
Martijn van Oosterhout
Date:
On Tue, Nov 15, 2005 at 10:29:34PM +0100, Magnus Hagander wrote:
> You still lose in the nested group scenario.
>
> And while a privilege like backup/restore can be used to overwrite any
> file on the system, you must be able to execute arbitrary API calls to
> do that. Whereas with admin/powerusers you can just use COPY or
> whatever.

Well, like you said, what's the problem we're trying to solve. It seems
to me that Windows doesn't have a clearly defined concept of
"superuser" and hence it can't be tested for. Having separate API
points to access files that require different privileges just makes it
more complicated.

There isn't a simple way to say, limit my access to this directory tree
(like chroot())? Surely as admin you could create tokens and add them
to the PGDATA directory and then allow only access to directories with
that token. Since PostgreSQL doesn't actually require privileges,
couldn't you just enumerate and drop them all?

Maybe allow a crippled mode where you refuse to load objects or allow
COPY. Or run any functions in untrusted languages. Still seems to me to
be a failure in the OS that you can't just say "drop everything except
this".

> Bottom line is that pgwin32_is_admin() is far from perfect, it just
> catches the most common scenarios.

My method would be: try to open file for writing in the Windows System
directory. If that works you've got too much privilege...

Have a nice day,
--
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.
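As an added example, not part of this thread or of PostgreSQL's own code, here is a PowerShell check in the spirit of both suggestions above: a token-based group test (the token carries the expanded group list, so the nested-group case Magnus mentions is caught), a listing of enabled privileges such as backup/restore that bypass file ACLs without admin membership, and Martijn's probe of opening a file for writing in the Windows system directory. The probe file name pg_privcheck.tmp is an assumption, and the script is meant to be run as the account that would own the postmaster.

```powershell
# Added example (not PostgreSQL code): does this account hold more
# privilege than a database service should? Run it as the service account.

function Test-IsAdminViaToken {
    # The access token already contains every group the user belongs to,
    # directly or through nested groups, so IsInRole sees the nested case
    # that a walk over the group's direct members would miss.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    $powerRole = [Security.Principal.WindowsBuiltInRole]::PowerUser
    return ($principal.IsInRole($adminRole) -or $principal.IsInRole($powerRole))
}

function Get-EnabledPrivileges {
    # Privileges are separate from group membership; a non-admin holding
    # SeBackupPrivilege/SeRestorePrivilege can still read or overwrite any file.
    whoami /priv /fo csv | ConvertFrom-Csv |
        Where-Object { $_.State -eq 'Enabled' } |
        Select-Object -ExpandProperty 'Privilege Name'
}

function Test-CanWriteSystemDir {
    # Martijn's probe: try to create a file in the system directory.
    # Success means the account could be abused through COPY TO a file.
    $probe = Join-Path $env:SystemRoot 'pg_privcheck.tmp'   # assumed name
    try {
        $fs = [IO.File]::Open($probe, [IO.FileMode]::CreateNew, [IO.FileAccess]::Write)
        $fs.Close()
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch [System.UnauthorizedAccessException] {
        return $false
    }
}

$dangerous = 'SeBackupPrivilege|SeRestorePrivilege|SeTakeOwnershipPrivilege|SeDebugPrivilege'
$privs     = @(Get-EnabledPrivileges)
$tooMuch   = (Test-IsAdminViaToken) -or (Test-CanWriteSystemDir) -or
             (($privs -match $dangerous).Count -gt 0)

Write-Host "Admin/PowerUser via token : $(Test-IsAdminViaToken)"
Write-Host "Can write to system dir   : $(Test-CanWriteSystemDir)"
Write-Host "Enabled privileges        : $($privs -join ', ')"
Write-Host "Verdict                   : $(if ($tooMuch) { 'too much privilege' } else { 'looks restricted' })"
```

A negative result from all three checks is still only a heuristic, as the thread notes; the token-based group test is the part that closes the nested-group gap.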